Data Breach Roundup: May 2014


On a regular basis, eSecurity Planet looks back at data breaches we’ve covered over the past month, providing an admittedly unscientific but (we hope) interesting overview of the current breach landscape.

To get some perspective on the current range of threats and recent breaches, eSecurity Planet spoke with Rapid7 global security strategist Trey Ford.

Data Doctrine

It’s crucial, Ford says, to ensure that everyone in your organization is fully aware of the sensitivity of the data they may be handling. "A lot of people are posting data, they’re moving things around – they’re just trying to do their jobs – and for a number of reasons they may not always be aware that, OK, this is a list, this is a database, and some of this data is sensitive," he says.

While most companies are aware of the importance of protecting clearly sensitive data like Social Security numbers and credit card information, Ford says other data can easily slip through the cracks. "We’re in a culture where it’s been comfortable to give out your phone number, your email address, your mom’s maiden name – and we’ve forgotten that with just a few more data points, you can go through and start creating fraudulent accounts or purporting to be someone else," he says.

That concern should be just as clear for third-party vendors. These vendors played a significant role in a half-dozen data breaches in May, including one at retailer Lowe's.

"Attackers are going to be like water – they’re going to follow the path of least resistance," Ford says. "So it may be that a lot of your core systems are very carefully measured, but you don’t get to wash your hands and shrug off liability when you give sensitive data to external companies."

Post-breach Communication

Ford says the recent eBay breach serves as a good example of the importance of responding to a breach correctly. “EBay has historically very heavily invested in great technology, great people. They’ve had a very advanced security program, they’re very aggressive with their measurement strategy, they’re a metrics-driven security organization – and I’m confident that their internal response was actually very swift and well-executed internally,” he says.

The company’s problems following the breach, though, came from their failure to communicate clearly with those affected. "More information tends to be better than less. People want to be able to understand so they can maintain a level of trust," he says. "Being a little more honest with ourselves, with our businesses, and with our customers – a little more transparent – is going to help us all process and respond to this."

Encrypt It, Already!

Finally, Ford says it’s frustrating to see data breaches resulting from the theft of unencrypted laptops and USB drives continuing to be an issue. "Encryption technology exists, it’s pervasive, every major operating system in production used today has it or has it available, and it’s not even terribly expensive," he says. "The challenge lies in the fact that it’s hard to manage. There are concerns about, ‘What if the admin leaves, or what if we get locked out of something?’ – and those are valid concerns – but those problems have been solved, they’re addressable, and organizations not using encryption should be the exception, not the rule."

May 2014 Data Breaches

Employee Error: A former Snelling Staffing employee mistakenly exposed 9,757 people’s personal information during the installation of a cloud-based server; the personal information of 1,050 students who took part in San Diego State University‘s Pre-College Institute was mistakenly exposed; and the Social Security numbers of 2,166 former Johns Hopkins University students were mistakenly stored on a publicly accessible server.

Third-party vendors were a significant source of such breaches. Some 15,000 Boston Medical Center patients’ personal information was posted without password protection on MDF Transcription Services’ website; 5,261 former Molina Healthcare of New Mexico members’ protected health information was mistakenly exposed by vendor Creel Printing; and the personal information of 3,500 members of the New Zealand Dental Association was mistakenly made available online for more than a year.

An undisclosed number of Lake Erie College of Osteopathic Medicine students’ personal information was mistakenly made available online when vendor Hubbard-Bert’s test server was misconfigured; and an undisclosed number of Lowe’s employees’ personal information may have been exposed when vendor SafetyFirst mistakenly backed up the data to an unsecured server.

Hackers: A database containing 145 million eBay users’ encrypted passwords and other personal data was breached; French telecom Orange announced that 1.3 million customers’ personal information was stolen by hackers; Spotify asked all Android app users to upgrade their apps after its systems were breached; and Bitly announced that all users’ email addresses, encrypted passwords, API keys and OAuth tokens had been compromised.

Hackers accessed the names, addresses and Social Security numbers of an undisclosed number of University of North Carolina Wilmington (UNCW) students and an undisclosed number of ground(ctrl) users’ personal information may have been accessed when the company’s network was hacked; and hackers breached the system that processes customer credit and debit cards for Affinity Gaming‘s casinos.

Dogecoin wallet service Doge Vault was compromised by hackers; an undisclosed number of Paytime clients’ employees’ personal information may have been exposed when the company’s systems were accessed illegally; hackers stole credit card information from WooThemes customers; and hackers accessed an undisclosed number of Gingerbread Shed customers’ names, user names, passwords, addresses, phone numbers, email addresses and credit card information.

The American Institutes for Research acknowledged that 6,500 employees’ personal data may have been accessed when one of its servers was hacked; hackers accessed Avast forum users’ nicknames, user names, email addresses and hashed passwords; hackers accessed an undisclosed number of OFFICE customers’ email addresses, passwords, names, addresses, phone numbers and birthdates; and hackers stole employees’ and customers’ personal information from Monsanto subsidiary Precision Planting.

Third-party vendors were also a source of such breaches. Some DeKalb Health patient information may have been exposed when a server operated by the third-party vendor that runs its website was hacked; and an undisclosed number of AutoNation customers’ personal information may have been accessed when vendor TradeMotion’s system was hacked.

Insider Breach: A former Central City Concern employee may have inappropriately accessed an undisclosed number of clients’ personal information; approximately 2,400 UMass Memorial Medical Center patients’ personal information may have been accessed inappropriately by a former employee; and a former employee may have stolen an undisclosed number of patients’ personal data from Flowers Hospital‘s laboratory.

A former Blue Cross and Blue Shield of Kansas City employee may have stolen 2,546 members’ financial information; a former ProMedica Bay Park Hospital employee inappropriately accessed 594 patient records; a former Eastern Health employee inappropriately accessed 20 patient records; and a former Home Depot employee stole fewer than 500 customers’ credit card information and provided it to third parties.

Laptop/Drive Theft or Loss: The personal information of approximately 5,500 employees of benefits broker Maschino, Hudelson & Associates‘ customers may have been exposed when a laptop was stolen from an MHA employee’s car; and an undisclosed number of Green’s Accounting clients’ personal information may have been exposed when a network server was stolen from the firm’s offices.

An undisclosed number of Larsen’s Dental Care patients’ personal and medical information may have been exposed when an unencrypted hard drive was stolen from an employee’s vehicle; 2,962 Humana members’ personal information may have been exposed when an unencrypted USB drive and an encrypted laptop were stolen from an employee’s vehicle; and 1,213 Elliot Hospital patients’ personal information may have been exposed when four computers were stolen from an employee’s car.

Malware: An undisclosed number of Boomerang Tags customers’ personal information may have been exposed when malware was installed on the server used to host the company’s website;  and approximately 1,800 UC Irvine students’ personal information may have been exposed when university computers were infected with keylogging malware.

Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at